The DarkSide Hacker Group: Who Are They and What Have They Done?


Since the inception of the internet, some users have been looking for ways to misuse it. As a result, we now have numerous cybercriminal groups that are very skilled in compromising different systems and making money off of them. Some target individuals, while others go exclusively against large corporations, hoping for bigger rewards.

Now and then, we learn about such entities only after they have successfully carried out an attack. The DarkSide hacker group is a perfect example; this article goes over everything you need to know about them, how they operated, and how they ultimately brought down one of the most significant US pipeline companies.

Who Was the DarkSide Ransomware Hacker Group?

DarkSide was a cybercriminal team that made waves in July 2020 when it started targeting businesses worldwide. As we know, ransomware prevents users from using their devices or networks until the required amount of money is paid to the entity hijacking it.

They claimed to be a modern-day Robin Hood group that would never go after healthcare or non-profit organizations, but would instead focus on big companies. They claimed that they often donated to charity as part of their mission.

Although it is most likely that the DarkSide hackers were mainly located in Russia and some other Eastern European countries, DarkSide didn’t seem to be state-sponsored. The members came from different parts of the world, including Russia and the former Soviet states, but also from Iran, North Korea, Syria, and China.

This hacking group adopted the Ransomware-as-a-Service (RaaS) model, which means they rented their software to third parties. The profit was split between the partners, affiliates, and holders, and the group took around 25% of the gains after successful attacks.

The Colonial Pipeline Hack

The most significant attack the DarkSide ransomware group carried out was against the Colonial Pipeline Company (https://dataprot.net/articles/critical-infrastructure-cyber-attacks/); it shut the pipeline's operations down for five days in May 2021. Eventually, the corporation paid a ransom of nearly 75 Bitcoin (around $5 million) to get its data back and resume working.

DarkSide went after the pipeline’s digital systems, affecting airlines and consumers across the US East Coast. The authorities were involved, and the FBI even offered $10 million in prize money to anyone who could provide identifying information about the location or leading members of the DarkSide group.

The bad actors managed to steal 100 GB of data in a matter of hours. DarkSide took control of the IT network, disabling several systems, such as accounting and billing. The pipeline temporarily shut down its operations to prevent the damage from spreading. However, they didn’t manage to stop the attack and had to pay the ransom.

So, how did such a significant company fall victim to the attack that cost it $5 million? Believe it or not, the reason DarkSide’s ransomware attack successfully hacked the Colonial Pipeline was that one of the employees reused a VPN password.

According to the Colonial Pipeline CEO, Joseph Blount, after the attackers obtained the password, they could log in because multifactor authentication was not enabled, meaning only the password was enough to penetrate the system successfully.

Cybersecurity experts criticized the pipeline officials for this blatant security failure. After all, most internet users use several protection layers for their accounts (e.g., a text message code they need to log in, even with the correct password). In retrospect, this DarkSide hack seems easily preventable.
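The failure described above (a VPN that accepted a password with no second factor) is something defenders can audit for before an intruder does. The following is an added example, not code from the original article or from Colonial Pipeline: it parses constructed VPN authentication log lines in an assumed `key=value` format and reports every account that has completed a login with no MFA step.

```python
import re

# Constructed sample VPN gateway authentication log lines (assumed format, not real data).
SAMPLE_LOGS = """\
2021-04-29T08:02:11Z vpn-gw01 auth user=jsmith src=203.0.113.45 result=success mfa=push
2021-04-29T08:05:39Z vpn-gw01 auth user=legacy_ops src=198.51.100.7 result=success mfa=none
2021-04-29T08:05:40Z vpn-gw01 auth user=legacy_ops src=198.51.100.7 result=success mfa=none
2021-04-29T09:17:02Z vpn-gw01 auth user=mlee src=203.0.113.88 result=failure mfa=none
2021-04-29T09:17:10Z vpn-gw01 auth user=mlee src=203.0.113.88 result=failure mfa=none
2021-04-29T09:17:20Z vpn-gw01 auth user=mlee src=203.0.113.88 result=success mfa=totp
"""

# One regex per line: timestamp, gateway host, then the key=value fields we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


def parse_vpn_log(text):
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_password_only_logins(events):
    """Successful logins where the gateway recorded no second factor at all."""
    return [e for e in events if e["result"] == "success" and e["mfa"] == "none"]


def password_only_accounts(events):
    """Accounts that are effectively protected by a password alone."""
    return sorted({e["user"] for e in find_password_only_logins(events)})


def mfa_coverage(events):
    """Fraction of successful logins that used some second factor (1.0 means full coverage)."""
    ok = [e for e in events if e["result"] == "success"]
    if not ok:
        return 1.0
    return sum(1 for e in ok if e["mfa"] != "none") / len(ok)


if __name__ == "__main__":
    evts = parse_vpn_log(SAMPLE_LOGS)
    print("password-only accounts:", password_only_accounts(evts))
    print("MFA coverage of successful logins: %.2f" % mfa_coverage(evts))
```

Any account the report lists is one where, exactly as in the Colonial Pipeline case, a single leaked or reused password is enough to get in.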

Blount was later questioned by the senators about the company’s response and timeline, specifically about the pipeline shutting down, which resulted in panic buying and higher gasoline prices. Blount said the temporary shutdown happened because they feared the entire system could be affected and the damage could have been greater.

Some senators stated Colonial Pipeline didn’t consult the US government regarding its decision to pay the ransom for the DarkSide cyber attack.

Blount said it was his understanding that the decision about the ransom was up to the company. He added that the company didn’t have a ransomware counter-strategy, but that the FBI was contacted within hours, and that the company invested more than $200 million in IT systems beforehand.

As mentioned, the DarkSide criminal gang was believed to be primarily located in Russia and other Eastern European countries. Still, President Biden said there was no evidence of Russia’s involvement in the hack. 

This hack almost immediately affected the airline industry, because many carriers weren’t able to continue operations. Moreover, there was a rush of panic buying and a spike in gas prices.

All of this only highlighted how poorly the government was prepared for such an attack, despite its many supposed preparation drills. Even though the DarkSide hackers later confirmed that money was their only motive, i.e., that it wasn’t an espionage or military sabotage mission, the country’s security systems should have held up better.

In the aftermath of this attack, the government set out to work on solutions to mitigate and prevent such attacks from happening again.

One example was the Biden administration's Executive Order 14028 on improving the nation's cybersecurity, issued in May 2021. Its aim was to keep all security components up to date, enabling a quicker response to new threats. The order also promotes the Software Bill of Materials (SBOM), which lets users analyze the vulnerabilities in a product's components when they want to evaluate the level of risk that product carries.

Who Was DarkSide Targeting?

DarkSide chose its victims based on their financial records and set the ransom demand accordingly. The sums ranged from $200,000 to $2 million. Since its inception, DarkSide has affected over 90 businesses and stolen more than 2 TB of data.

According to available data, this group mainly targeted companies in the finance and manufacturing industries and claimed they avoided attacking educational institutions, the public sector, and healthcare organizations.

The US was the most commonly targeted country, followed by Canada, Belgium, and France. The DarkSide hacker organization initially went after English-speaking countries. The Commonwealth of Independent States (CIS) countries were spared, which is why some believe the DarkSide actors reside there. What's more, some of those countries don't prosecute cyberattackers as long as their targets are foreign.

How the DarkSide Attacks Worked

DarkSide employed various methods for penetrating its victims' networks, similar to the way other ransomware groups operate. Usually, it combined stolen credentials and hands-on hacking with various penetration testing tools, some of which were also used in the Colonial Pipeline attack.

Before deploying ransomware, the group identified critical servers, escalated privileges, and disabled and deleted backups. Once that was done, the victim was notified that their systems were immobilized and that they needed to pay the ransom if they wanted their data back.

DarkSide’s affiliates used similar techniques. They bought stolen credentials, used brute-force and dictionary attacks, and infected machines with botnet malware to compromise them. 

The DarkSide gang's Linux variant encrypted files with Salsa20, protecting the key with RSA-1024. The Windows build of the ransomware behaved differently in one respect: it checked the system language and aborted the encryption if it found one of the former Soviet Bloc languages.

Bottom Line

Hacking groups use different methods to steal data and extort money. Their success usually depends on how skilled they are and how well-protected the victim’s systems are. In the case of DarkSide and the Colonial Pipeline, it was a mix of both.

Although the DarkSide website is no longer accessible, and the group announced they’re no longer active after increasing pressure from the US government, we can’t know for sure if that’s true. Like many similar ransomware groups, they might have announced a shutdown only to escape the public’s attention and could be planning another full-scale attack.

Incidents like this show how critical systems of major companies can be highly vulnerable and that more effort is required to secure sensitive data, protecting businesses and individuals alike.
